
CSC 497/583 Advanced Topics in Computer Security: Modern Malware Analysis

This course covers the basics of modern malware analysis, with a focus on DLL injection. Topics include virtual machines, static analysis, behavior analysis, and the source code of a "Hello World" malware example.







  1. Class 2 CSC 497/583 Advanced Topics in Computer Security: Modern Malware Analysis. Basic Analysis, DLL Injection. Si Chen (schen@wcupa.edu)

  2. Course Outline • Introduction • Virtual Machine • Static Analysis • A “Hello World” Malware Example: DLL Injection (hack_dll.zip) • Behavior • Analysis • Source code • DLL Injection

  3. Virtual Machines • What is a virtual machine? • Simply, a computer in your computer • Really, a segregated virtual environment that emulates real hardware • There are different types/methods: VirtualBox, VMware, Parallels

  4. Virtual Machines • Why are we using a virtual machine? (for this course) • Safety, reliability, consistency, it’s easy • Keep the malware in a contained environment • Snapshots • Completely 100% revert the VM to an earlier state • If things go bad, no one cares

  5. Static Analysis • Analyzing a sample without executing any code • Safe • Infer functionality • Provides a lot of useful information to guide dynamic and advanced analysis • Lots of tools involved • Can be an easy way to find signatures • URLs, filenames, registry keys

  6. Let’s try our first “Malware” • Download and run the XP VM image • Open a command line terminal and go to C:\Work • Open Notepad • Open DebugView • Open Process Explorer and find the PID of Notepad • In the command line, type: InjectDll.exe <PID OF NOTEPAD> myhack.dll

  7. Screenshots

  8. Screenshots

  9. Dynamic-link library (DLL) • A dynamic-link library (or DLL) is Microsoft's implementation of the shared library concept on Microsoft Windows.

  10. Dynamic Linking

  11. Drawbacks of Static Linking • Memory: wasted space • Hard to maintain

  12. Dynamic Linking • Memory

  13. Dynamic Linking in Linux and Windows

  14. DLL Injection • DLL injection is a method of injecting code into another process’s address space and executing that code on behalf of that process. • DLL injection provides a platform for manipulating the execution of a running process. • It's very commonly used for logging information while reverse engineering. • It has gained a bad name for itself since it’s mostly used by malware for stealth purposes: • Hiding malicious code in a system process (winlogon.exe, services.exe, svchost.exe, explorer.exe) • Opening a backdoor port • Connecting to a remote server • Keylogging… • It’s also frequently used within the game hacking world to code bots

  15. DLL Injection

  16. DLL Injection

  17. DLL Injection

  18. DLL Injection

  19. DllMain()

  20. Source Code of myhack.dll

  21. Source Code of myhack.dll

  22. Source Code of myhack.dll

  23. Static analysis (myhack.dll) • Finding Strings [1] • A string in a program is a sequence of characters such as “the.” • A program contains strings if it prints a message, connects to a URL, or copies a file to a specific location. • Searching through the strings can be a simple way to get hints about the functionality of a program. • For example, if the program accesses a URL, then you will see the URL accessed stored as a string in the program. • You can use the Strings program to search an executable for strings, which are typically stored in either ASCII or Unicode format. [1]. Practical Malware Analysis, page 11

  24. Static analysis (myhack.dll)

  25. Static analysis (myhack.dll) • Sometimes the strings detected by the Strings program are not actual strings: a run of bytes that merely happens to fall in the printable range is reported just like real text, so each hit needs a sanity check before it is treated as a clue.
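A small strings extractor, added here as an illustration and not the course's tool nor the Sysinternals Strings program: it pulls ASCII and UTF-16LE runs out of a byte blob, as slide 23 describes, and applies a simple heuristic to flag the printable junk that slide 25 warns about. The sample bytes, the 70% threshold and the punctuation set are constructed assumptions.

```python
import re
import sys

# Constructed sample "binary" (not a real file): a DOS header stub, an ASCII URL,
# a UTF-16LE path, a run of printable junk bytes, and a Windows API name.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"http://example.invalid/update.php\x00"
    b"\x00\x01\x02"
    + "C:\\Work\\myhack.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x7fAQ#$%^&*\x00"          # printable bytes that are not a real string
    + b"LoadLibraryA\x00"
)


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for every run of at least min_len printable
    characters, in both ASCII and UTF-16LE (the two forms slide 23 mentions)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def looks_meaningful(text: str) -> bool:
    """Heuristic for the false positives slide 25 warns about (assumed threshold):
    keep a run only if most of it is letters, digits or path/URL/key punctuation."""
    good = sum(c.isalnum() or c in "./\\:_-" for c in text)
    return good / len(text) >= 0.7


def scan(data: bytes, min_len: int = 4):
    """Strings worth a human look: extracted, then filtered by looks_meaningful."""
    return [(enc, text) for _, enc, text in extract_strings(data, min_len)
            if looks_meaningful(text)]


if __name__ == "__main__":
    # Usage: python strings_demo.py <file>; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, enc, text in extract_strings(blob):
        flag = "" if looks_meaningful(text) else "   (probably junk)"
        print(f"{off:08x} {enc:8} {text}{flag}")
```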

  26. Portable Executable (PE) file • A Portable Executable (PE) file is the standard binary file format for an executable (.exe) or DLL under Windows NT, Windows 95, and Win32.

  27. Packed and Obfuscated Malware • Malware writers often use packing or obfuscation to make their files more difficult to detect or analyze. • Obfuscated programs are ones whose execution the malware author has attempted to hide. • Packed programs are a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed statically in its packed form. • Both techniques will severely limit your attempts to statically analyze the malware.

  28. Packed and Obfuscated Malware

  29. Exploring Dynamically Linked Functions with Dependency Walker

  30. Common DLLs

  31. Exploring Dynamically Linked Functions with Dependency Walker

  32. Q & A
